2014 was a terrible year for corporate data breaches. If there is to be any silver lining, information security professionals must draw lessons from the carnage. A good place to start is to identify common denominators.

Several of the most damaging incidents started with phishing emails into office (or contractor) networks. Social engineering has gotten so sophisticated and targeted, we can hardly blame the employees (sometimes high-level executives) for clicking on legitimate-looking links. Once an attacker establishes his credentials as the compromised employee, he potentially can gain access to whatever that employee uses. One attacker got in through a corporate software development network that was not sufficiently segregated from other critical networks. In other cases, disgruntled employees with access to valuable customer data were involved.

Clearly, employee access controls are critical. If we can improve these systems, we will go a long way toward securing our networks. This is not as easy as it sounds, however. When information security teams restrict access or revoke privileges, they get pushback. They become obstructionists, bad cops, bureaucrats. To be fair, we really do run the risk of strangling teamwork, erecting stovepipes, and throttling collaboration. How do we construct robust user access controls without being the bad guys?

Do you feel that you’ve been hearing a lot about data breaches lately? You are right! Take a look at the chart below. There is plenty of time left in September, but the data breach calendar is already filled with victim names. And August? I don’t even have enough space to put down all the victim names.

If anyone believes that by doing a great job we can fully guard our data and valuable information assets against attacks and breaches, it is time to think again. The reality is, data breaches can happen to anyone. They are happening everywhere, from household names to lesser-known businesses and organizations, and to the mighty government of the United States. The question is no longer “if”, it is “when”.

However, this does not mean that we will just give up. On the contrary, we need new thinking. And get prepared. We need to be prepared before breaches take place to minimize their chances to succeed. We need to be prepared during breaches to detect and stop them. And we need to be prepared to rapidly apply mitigations after breaches. We cannot totally eliminate these risks, but we can control and minimize them.

Cybersecurity is a hot topic and a major concern for all organizations. No one is immune, and indeed, higher education institutions can fall victim to large breaches as well. In fact, according to PrivacyRights.org, below are a few examples from the last 6 months:

| Date | Name | Records Lost |
|---|---|---|
| 22-Apr-14 | Iowa State University | 29,780 |
| 27-Mar-14 | The University of Wisconsin-Parkside | 15,000 |
| 20-Mar-14 | Auburn University | Unknown |
| 6-Mar-14 | North Dakota State University | 290,000 |
| 26-Feb-14 | Indiana University | 146,000 |
| 19-Feb-14 | University of Maryland | 309,079 |
| 27-Nov-13 | Maricopa County Community College District | 2,490,000 |

Theft, intellectual property loss, and loss of individuals’ personal data affect all organizations in varying degrees. While higher education institutions face many of the same challenges as government and commercial organizations, they also have worries that are unique to their environments. Some of the higher education specific cybersecurity topics include:

Data Privacy & Security – Colleges possess the Personal Identifying Information (PII) of their students AND students’ parents, faculty and alumni – the numbers add up quickly. In addition to the usual PII, this can also include medical, financial, academic and other data.

Device Mobility – The average student currently has 3 devices and this is expected to grow to 5 devices in the next few years.

Protecting Intellectual Capital – Research universities have become a prime target for intellectual property theft. They risk losing valuable data and possibly losing grant funding.

Threats have become more sophisticated and protecting the enterprise with these topics in mind needs to be more sophisticated also. It is no longer enough to harden access to the network and think you are OK. Because the bad guys trying to steal your data are using so many different types of attack, effective defense requires a multi-level approach.

Cisco recently acquired Sourcefire, and we have adopted their frequent question to customers: “If you knew you were going to be breached, what would you do differently?” The 2014 Cisco Annual Security Report studied the web traffic of corporate networks and every one had connections to domains that are known malware threat sites or threat vectors – an indication that bad things are on every one of these networks and likely on most networks. Think about the question again – what would YOU do differently? That is what we all should be doing.

We recommend looking at the Attack Continuum of “Before, During, and After” with the following actions for each phase:

Before an attack you want to harden your network, to enforce security policies with controlled, segmented access to resources.

During an attack you want to defend your network by detecting the threats and blocking them from getting in.

After an attack you want to contain the threat, determine the scope of the problem, remediate the damage, and get back to educating students.

The conventional perimeter protections such as firewalls, intrusion prevention, and anti-virus are still part of a good defense in depth framework, but more is now needed. We offer many parts of the solution, of course, and have experts who work with universities to address their specific security needs. But no matter who you work with, please look carefully at what you can do differently to protect your students and your institution from these new, advanced threats.

Our upcoming whitepaper will focus on some of these trends, challenges and strategies for higher education. You can register to receive the whitepaper as well as a compilation of all the #HigherEdThursdays blog series upon completion. Reserve your copy now.

From peeking at Britney Spears’ medical records to the theft of almost five million medical records from a tape back-up, no healthcare issue garners more adverse publicity, or passion, than violations of patient privacy. While you might expect that, since the institution of HIPAA and quarter-million-dollar fines, this is relatively uncommon now, you would be wrong. A stunning incidence of nearly 18 million breaches of privacy has occurred over the past two years according to a recent report from ANSI, the American National Standards Institute. That is equivalent to the population of the states of Florida or New York.

As the world moves towards adoption of Electronic Health Records and Health Information Exchanges, concern for the vulnerability of private health information is escalating as the scale of these data breaches reaches epic proportions. A West Coast health care system experienced the theft of electronic health information for 4 million of its patients. And another major academic medical center inadvertently disclosed the electronic health records of 20,000 of its patients. The risks are real and global. And they leave an organization – any organization – subject to severe legal and financial damage, not to mention the damage to their reputation. None of these organizations were cavalier about their security compliance. But let’s face it, the workforce is larger and more mobile. The data is more prolific and ubiquitous and takes on many different forms. And the thieves are getting more sophisticated.

But so are the solutions. In the past, it was necessary to balance mobility with security: the more mobile, the less secure. Not anymore. Cisco’s AnyConnect combines industry-leading Cisco cloud and premises-based web security and next generation remote access technology to deliver the most robust and secure enterprise mobility solution on the market today.
